So now we know. The government has set out the legal basis for its mass surveillance of communications data. The director general of the Office for Security and Counter-Terrorism, Charles Farr, has explained – in a confusing departure from a previous argument – that when communication involves a foreign-based platform it can be treated not as "internal", needing a warrant to intercept, but as "external". This comprehensive ruling means that each tweet, each update on a Facebook page, and most webmail becomes a legitimate target with no need for a warrant, even where it is between two British citizens. But since every communication – down to the merest text message – has to be examined to see which category it falls into, literally nothing is truly private.

The legal basis for all this is the Regulation of Investigatory Powers Act (Ripa), hurried through parliament in 2000 with only cursory examination. Like the credit agencies nodding through the poisoned debt packages sold by traders before the 2008 crash, no one fully grasped its implications at the time, and since its passage, the technology landscape has been almost entirely redrawn. In 2000 there was no Facebook, no Twitter and Google had only just moved out of a garage in Menlo Park, California. This is the act that the law professor Conor Gearty has described as an "accomplice to secrecy and official impunity".

Mr Farr argues that the contents of the dragnet created by the Tempora and Prism programs are only examined when evidence gathered from other sources justifies it. But his submission acknowledges that, just as trawling for tuna risks sometimes catching dolphins, sometimes properly private communications will be included. And while in theory the law allows those who fear they have been wrongly put under surveillance to apply for compensation, the Investigatory Powers Tribunal exists only to ensure the law has been followed by all the public bodies that operate under its authority. It will never either admit surveillance has been carried out, which the security services say could drive the subject underground, or deny it, since that risks allowing the subject to operate with impunity. According to the Commons home affairs committee, the Investigatory Powers Tribunal has upheld 0.68% of complaints it has heard. None was against the security services.

British citizens are not indifferent to privacy. There was outrage when a council was found to be using its Ripa powers to monitor residence qualifications for a local school, and widespread disquiet at the information commissioner Richard Thomas's finding back in 2006 that a surveillance society now existed. Yet the implications of the Edward Snowden revelations, of Britain and the US sweeping up the minutiae of our online lives, are still under-appreciated. That needs to change.

The government always insists that the security services are rigorously supervised, their actions scrutinised by judges – who therefore should also be under greater scrutiny – and then by parliament. Yet the intelligence and security committee was completely unaware of the extent of cyberspace surveillance. Parliament must find some backbone in the face of the advance of the security state. Here is a simple prescription. Rather than try to wrestle with the details of the technology, focus on the one vital principle: the right to privacy. Internet communications between UK citizens should be as sacrosanct as a letter.

There needs to be a more transparent relationship between users, providers and the state. The iTunes terms and conditions are longer than Macbeth and probably less read. All licence agreements should be summarised in a page, and be clear about just how personal information will and won't be used, with the caveat: we can't guarantee it won't be accessed by the security services. It is a fallacy that those with nothing to hide have nothing to fear. The more personal data is dredged up, the more risk of misuse. This is not an argument about efficiency, though, but about the principle of privacy.